A Deloitte series on digital manufacturing

Industry 4.0 and cybersecurity Managing risk in an age of connected production Industry 4.0 and cybersecurity

Deloitte Consulting LLP’s Supply Chain and Manufacturing Operations practice helps companies understand and address opportunities to apply Industry 4.0 technologies in pursuit of their busi- ness objectives. Our insights into additive manufacturing, IoT, and analytics enable us to help organizations reassess their people, processes, and technologies in light of advanced manufactur- ing practices that are evolving every day.

COVER IMAGE BY EVA VAZQUEZ Managing risk in an age of connected production

Contents

Introduction | 2

The digital supply network | 6 Changing supply chain, evolving cyber risks

The smart factory | 8 Facing new cyber risks in the age of smart production

Connected objects | 13 Expanding risks to the physical object

Being secure, vigilant, and resilient in the age of Industry 4.0 | 17

Endnotes | 18

About the authors | 20

Acknowledgements | 21

Contacts | 21

1 Industry 4.0 and cybersecurity

Introduction

The fourth industrial revolution brings with it a new operational risk for con- nected, smart manufacturers and digital supply networks: cyber. The inter- connected nature of Industry 4.0–driven operations and the pace of digital transformation mean that cyberattacks can have far more extensive effects than ever before, and manufacturers and their supply networks may not be prepared for the risks. For cyber risk to be adequately addressed in the age of Industry 4.0, cybersecurity strategies should be secure, vigilant, and resil- ient, as well as fully integrated into organizational and information technology strategy from the start.

N 2009, malware manipulated the speed of centri- These new and emerging risks should be managed fuges in a nuclear enrichment plant, causing them and mitigated. to spin out of control. This malware, now known I The increased connectivity of smart machinery, a as Stuxnet, was introduced into stand-alone net- shift known as Industry 4.0, raises the stakes. Indus- works via flash drives, and it autonomously spread try 4.0 heralds a new age of connected, smart manu- across production networks. Stuxnet’s sophistica- facturing, responsive supply networks, and tailored tion serves as a powerful example of cyberattacks’ products and services. Through its use of smart, potential as weapons in the world of connected autonomous technologies, Industry 4.0 strives to physical factories.1 And the battle is decidedly un- marry the digital world with physical action to drive balanced: Organizations must protect a wide swath smart factories and enable advanced manufactur- of technology, while attackers need only pinpoint ing.2 But while it plans to enhance digital capabili- the weakest link. ties throughout the manufacturing and supply chain It is important, however, that we balance our focus processes and drive revolutionary changes to con- between the external threat landscape and the very nected devices, it also brings with it new cyber risks real—and typically overlooked—cyber risks created for which the industry is unprepared. Developing a by businesses who are increasingly using smart, fully integrated strategic approach to cyber risk is connected technologies to innovate, transform, fundamental to manufacturing value chains as they modernize, and otherwise make tactical or strate- marry operational technology (OT) and information gic business decisions that could result in such risk. technology (IT)—the very force driving Industry 4.0.

2 Managing risk in an age of connected production

As threat vectors radically expand with the advent In this paper, we examine the modern connected of Industry 4.0, new risks should be considered and digital supply networks, smart factories, and con- addressed. Put simply, the challenge of implement- nected device themselves, focusing on the unique ing a secure, vigilant, and resilient cyber risk strat- cyber risks faced by each.3 Moving through the egy is different in the age of Industry 4.0. When sup- production life cycle (figure 1)—from the digital ply chains, factories, customers, and operations are supply network, to the smart factory, and finally to connected, the risks posed by cyberthreats become the connected object—we explore the actions opera- all the greater and potentially farther reaching. tions and information security executives can take to anticipate and effectively address cyber risks as Thinking about how to address cyber risk at the end well as proactively integrate cybersecurity into their of the strategic process is simply likely too late. Cy- strategy in the age of Industry 4.0. bersecurity should become an integral part of the strategy, design, and operations, considered from the beginning of any new connected, Industry 4.0– driven initiative.

Figure 1. Smart production life cycle and cyber risk Secure, vigilant, Production life resilient cycle stage categorization Cyber imperative Objective

Digital supply Secure, vigilant, Data sharing Ensure integrity of systems so private, network resilient proprietary data cannot be accessed

Secure, vigilant, Vendor processing Maintain trust when processes cannot resilient be validated

Smart factory Vigilant Health and safety Ensure safety for both employees and the environment

Vigilant, resilient Production and process Ensure continuous production and resilience/efficiency recovery of critical systems

Vigilant, resilient Instrumentation and Protect the brand and reputation of proactive problem the organization resolution

Secure, resilient Systems operability, Support the use of multiple vendors reliability, and integrity and software versions

Vigilant, resilient Efficiency and cost Reduce operating costs and increase avoidance flexibility with remote site diagnostics and engineering

Secure Regulatory and due Ensure process reliability diligence

Connected object Secure Product design Employ secure software development life cycle to produce a functional and secure device

Vigilant Data protection Maintain the safety of sensitive data throughout the data life cycle

Resilient Remediation of attack Minimize the effects of an incident effects while quickly restoring operations and security

Deloitte University Press | dupress.deloitte.com

3 Industry 4.0 and cybersecurity

DIGITAL MANUFACTURING ENTERPRISES AND INDUSTRY 4.0 The Industry 4.0 technologies that enable digital manufacturing enterprises and digital supply networks involve the integration of digital information from many different sources and locations to drive the physical act of manufacturing and distribution. This integration of information technology and operations technology is marked by a shift toward a physical-to-digital-to-physical connection. Industry 4.0 combines the Internet of Things (IoT) and relevant physical and digital technologies, including analytics, additive manufacturing, robotics, high-performance computing, artificial intelligence and cognitive technologies, advanced materials, and augmented reality, to complete that cycle and digitize business operations.

The concept of Industry 4.0 incorporates and extends the IoT within the context of the physical world—the physical-to-digital and digital-to-physical leaps that are somewhat unique to manufacturing and supply chain/supply network processes (figure 1). It is the leap from digital back to physical—from connected, digital technologies to the creation of a physical object—that constitutes the essence of Industry 4.0, which underpins the digital manufacturing enterprise and digital supply network.

Figure 2. The physical-to-digital-to-physical leap of Industry 4.0

. naye and isuaie Macines tak to eac oter to sare inforation aoing for adanced anatics and isuaiations of reatie data fro utipe sources

II I . stabis a diita recrd apture inforation fro te psica ord to create a digita record of te psica operation and supp netork . enerate eent pp agorits and autoa tion to transate decisions and actions fro te digita ord into oeents in te psica ord

ource enter for ntegrated esearc Deloitte University Press dupress.deloitte.com

Even as we explore the ways in which information creates value, it is important to understand value creation from the perspective of the manufacturing value chain. Throughout the manufacturing and distribution value network, business outcomes may emerge from the integration of information and operations technologies via Industry 4.0 applications.

For further information, visit Industry 4.0 and manufacturing ecosystems: Exploring the world of connected enterprises.3

4 Managing risk in an age of connected production

The digital supply network Changing supply chain, evolving cyber risks

HE supply chain—how materials enter into participants in the supply network, which creates a the production process, and semi- or fully fin- significant hurdle; it will likely be difficult to strike Tished goods are distributed outside—is funda- a balance between allowing transparency for some mental to any manufacturing organization. It is also data and maintaining security for other information. tightly connected to consumer demand. Many glob- Organizations may thus want to consider ways to al organizations use demand forecasts to determine secure that information to prevent unauthorized the quantity of materials necessary, manufacturing users from accessing it across the network. They line requirements, and distribution channel loads. would also likely need to remain disciplined about Analytics have also become more sophisticated, so maintaining those safeguards across all supporting that today’s organizations are able to utilize data processes, such as vendor acceptance, information and analytics to understand and predict customer sharing, and system access. Not only may these pro- buying patterns. cesses be proprietary in their own right, they may Industry 4.0 technologies are expected to prompt also potentially serve as access points to other inter- a further evolution in the traditional linear supply nal information. chain structure by introducing intelligent, connect- This may also place more strain on third-party risk ed platforms and devices across the ecosystem, management. In analyzing the cyber risks of inter- resulting in a digital supply network (DSN) capa- connected DSNs, we have identified two main areas ble of capturing data from points across the value impacted by increased supply chain connectivity: chain to inform each other. The result may be better data sharing and vendor processing (figure 3). management and flow of materials and goods, more efficient use of resources, and supplies that more ap- We discuss each area as well as potential strategies propriately meet customer needs.4 for addressing increased cyber risks below.

For all its benefits, however, the increasing inter- connectedness of the DSN also brings with it cyber DATA SHARING: INCREASED ACCESS weaknesses that should be properly planned and TO DATA FOR MORE STAKEHOLDERS accounted for in every stage, from design through Organizations will likely need to consider what data operation, to prevent significant risks. should be shared, and how to protect the systems and underlying data that may be proprietary or have The cyber risks of sharing privacy risks. For example, some suppliers in a par- ticular DSN may be competitors in other areas, and data across the DSN may not wish to make certain types of data available, such as pricing or information about proprietary As the DSN evolves, one expected outcome is the materials. Alternatively, the suppliers may be sub- creation of a network that allows real-time, dy- ject to regulations that limit the type of information namic pricing of materials or goods based upon the that can be shared. Opening up just part of the data demand of purchasers relative to the supply avail- may make it possible for those with malicious intent able.5 But a responsive, agile network of this nature to gain access to other information. is made possible only by open data sharing from all

5 Industry 4.0 and cybersecurity

Figure 3. Smart imperatives and risks Secure, vigilant, Production life resilient cycle stage categorization Cyber imperative Objective

Digital supply Secure, vigilant, Data sharing Ensure integrity of systems so private, network resilient proprietary data cannot be accessed

Secure, vigilant, Vendor processing Maintain trust when processes cannot resilient be validated

Deloitte University Press | dupress.deloitte.com

Organizations should utilize good hygiene VENDOR PROCESSING: VENDOR techniques such as network segmentation and in- ACCEPTANCE AND PAYMENT termediary systems that serve as “middlemen” to IN A BROADER MARKET gather, protect, and provide information. Addition- ally, technologies such as trusted platform modules Expansion of a core group of suppliers to a broader or hardware security modules should be incorporat- network will likely disjoint current vendor accep- ed into future devices to provide robust cryptologic tance processes, as new partners could bring their support, hardware authentication, and attestation own systems into the mix. Governance, risk, and (that is, detect when unauthorized changes are compliance (GRC) software to track third-party ac- made to the device). By combining this approach ceptance and risk would thus need to react faster with robust access controls, mission-critical opera- and even autonomously. Further, information se- tions technology is secured at the application points curity and risk management teams leveraging these and endpoints to protect its data and processes. applications would need to develop new policies and guidelines to adequately secure themselves against Where data must be available in part, or the data fraudulent vendors, internationally sanctioned sensitivity is high, other industries such as financial suppliers, and subpar product distributors. These services provide examples of protecting information. effects have been experienced in consumer open Here, organizations are leveraging tools such as en- markets where counterfeit goods and fake store- cryption and tokenization for data at rest and in fronts create headaches for organizations such as transit to safeguard communications if they are in- eBay and Amazon.6 tercepted or systems are compromised. While on its path to interconnectedness, the financial services in- Blockchain has been suggested as a technology to dustry realized that it is no longer typically adequate help solve these woes and address potential pay- to focus solely on security to address data privacy ment process changes. The process of establishing and confidentiality risks, and that these techniques a historical record for currency is best known in the should be married with other techniques, such as example of bitcoin, but other organizations are ex- data governance. Indeed, organizations should ploring ways to use this new tool to determine the perform risk assessments across their environ- flow of goods from production line through layers ment, including enterprise, DSN, industrial control of purchasers.7 Creating a historical ledger that is systems, and connected products, and use those as- shared by a community establishes trust and visibil- sessments to determine or update their cyber risk ity, providing protection for buyers and sellers by strategies. Taken together, all of these approaches certifying a good’s authenticity, enabling the track- can help to identify where higher levels of preven- ing of goods movements for logistical purposes, and tion are warranted as connectivity increases. categorizing products more specifically than by lots or batches when handling recalls or defects. In the

6 Managing risk in an age of connected production

absence of this level of assurance of product authen- many ways to the responsive, agile DSN. It contains ticity, manufacturers may want to perform testing competitive intellectual property and the keys to and certification of products to ensure adequate resources on which organizations depend to sur- security before incorporating them into their envi- vive—all of which, as with a DSN, could be potentially ronment or products. vulnerable when deployed in cloud and integrated third-party relationships. This risk has been realized The connecting element between these two areas, in the financial services arena where algorithms are data sharing and vendor processing, is trust. Or- being targeted internally and externally. This has led ganizations may need to keep evolving their risk to increased security and vigilance for the software management to preserve integrity and remain se- code and insider threat programs to combat inter- cure when transacting information or goods, as well nal risks, both overt (corporate espionage, sabotage, as strengthening their monitoring capabilities and and so on) and unintended (complacency, ignorance, cybersecurity operations to remain vigilant, protect- and so on). Indeed, vigilance could be particularly ing those processes when trust cannot be validated. important with respect to monitoring: As manufac- As they seek to do so, DSN members can learn from turers move beyond the DSN to apply Industry 4.0 other sectors’ approaches to managing cyber risk. technologies to production itself, cyber risks will The automated trading model used by financial likely only evolve and multiply. and energy corporations, for example, is similar in

7 Industry 4.0 and cybersecurity

The smart factory Facing new cyber risks in the age of smart production

UST as adding connectivity to the DSN intro- cyber risk assessments of industrial control systems duces new risk vectors, so too does smart man- (ICS) operating on factory floors.12 Jufacturing. Those risks not only increase and To be sure, risks to manufacturers have existed diversify, but also possibly exponentially. Recent as long as production has been mechanized, with Department of Homeland Security publications cyberthreats augmenting and adding to physical Strategic principles for securing the Internet of threats as technology has progressed. But Industry Things and Security tenets for life critical embed- 4.0 heralds the greatest leaps in cyber risk to date. ded systems highlight the issues at hand by examin- The nature of these leaps is described in figure 4. ing the risks associated with life-critical embedded systems manufacturers may deploy in production, both directly and indirectly.10 Evolving operational The broad definition of the term “life-critical em- and security concerns: bedded systems” means that almost any connected Moving from Industry device, whether on the shop floor in an automated system or remotely located at a third-party contract 3.0 to Industry 4.0 manufacturer, should be considered a risk—even From an operational perspective, modern ICS en- those that only peripherally or indirectly touch vironments allow engineers to deploy unmanned the production process.11 This increased risk and sites while maintaining high efficiency and resource dramatically expanded threat surface require a fun- control. They do so by using connected systems such damental change in how security is viewed within as enterprise resource planning, manufacturing Industry 4.0–driven manufacturing. execution, and supervisory control and data acqui- sition systems. These connected systems can often Connected production streamline processes and make things easier and creates new cyber challenges more efficient, and they have continued to evolve as systems have become more automated and autono- As production systems grow ever more connected, mous (figure 5). cyberthreats increase and broaden beyond those From a security perspective, the increased network- seen in the DSN. It is not hard, for example, to imag- ing and usage of commercial off-the-shelf (COTS) ine that misused or manipulated requests for ad hoc products in ICS introduces a variety of exposure production lines can result in financial loss, low points that could be abused by threat actors. In product quality, and even safety concerns for work- contrast to generic IT where the focus is the in- ers. Further, connected factories may be vulnerable formation, ICS security focuses on the industrial to shutdowns or other attacks. Moreover, evidence process. Therefore, the targets in the smart factory exists that manufacturers may not be prepared primarily focus on the availability and integrity of for the cyber risks their connected, smart systems the physical process rather than confidentiality of present: A 2016 Deloitte-MAPI study found that information, as with traditional cyber risk. one-third of manufacturers have not performed any

8 Managing risk in an age of connected production

Figure 4. Progression of cyber and physical threats for each industrial revolution

First online-ordered mass production in a customizable smart factory

First Business trends programmable HIGH controller First mehanical First assembly loom line INDUSTRY 4.0 Ubiuitous production and control INDUSTRY 3.0 INDUSTRY 2.0 Controller-based INDUSTRY 1.0 Electricity-based automation Steam-based mass production mechanical production Cyberthreats

Physical threats System compleity Cost of process reconfiguration Cost of maintenance Single vendor dependency Consumer involvement

LOW 1784 1870 1969 2014

ource eoitte Deloitte University Press dupress.deloitte.com

From an operational perspective, modern ICS en- vironments allow engineers to deploy unmanned The potential impacts sites while maintaining high efficiency and resource control. They do so by using connected systems such of these attacks on as enterprise resource planning, manufacturing execution, and supervisory control and data acqui- production, customers, sition systems. These connected systems can often streamline processes and make things easier and manufacturers, and the more efficient, and they have continued to evolve as systems have become more automated and autono- products themselves mous (figure 5). may grow broader From a security perspective, the increased network- ing and usage of commercial off-the-shelf (COTS) and potentially products in ICS introduces a variety of exposure points that could be abused by threat actors. In more significant.

9 Industry 4.0 and cybersecurity

Figure 5. Evolution of technologies and related cyberthreats in industrial control systems ICS

First programmable First online-ordered mass production controller in a customizable smart factory

Security-related trends HIGH

INDUSTRY 3.0 INDUSTRY 4.0

PLC system Networked control Industrial Internet

Serial LAN, TCP/IP Ad hoc connection Internet Data collection and monitoring throughout product Ladder logic Vendor scripting language life cycle Unmanned sites, Market-driver planning, asset utilization and supply SCADA, ERP

Technology chain, ad-hoc production lines

DoS on PLC and vendor software Malicious market campaigns (e.g., as input from PLC failure due to malformed packets consumer, supply chain, logistics, stock exchange) MitM causing false information to operators Product botnets Cyber- threats Privacy breach of product usage Number of potential cyberthreats Usage of COTS components Sensitive data echange Process isolation

LOW 1969 2014

te oca area netork enia of erice o ransission ontro rotoconternet rotoco rograae ogic controer uperisor contro and data acuisition Maninteidde attack MitM nterprise resource panning

ource eoitte Deloitte University Press dupress.deloitte.com

contrast to generic IT where the focus is the in- attack become more advanced (figure 5). Indeed, as formation, ICS security focuses on the industrial Industry 4.0 connectivity continues to proliferate process. Therefore, the targets in the smart factory across not only the digital sphere but also the physi- primarily focus on the availability and integrity of cal world, the potential impacts of these attacks the physical process rather than confidentiality of on production, customers, manufacturers, and the information, as with traditional cyber risk. products themselves may grow broader and poten- tially more significant (figure 6). Notably, however, while the basics of cyberattacks remain the same, the methods of delivering the

10 Managing risk in an age of connected production

Figure 6. Smart factory imperatives and risks Secure, vigilant, Production life resilient cycle stage categorization Cyber imperative Objective

Smart factory Vigilant Health and safety Ensure safety for both employees and the environment

Vigilant, resilient Production and process Ensure continuous production and resilience/efficiency recovery of critical systems

Vigilant, resilient Instrumentation and Protect the brand and reputation of proactive problem the organization resolution

Secure, resilient Systems operability, Support the use of multiple vendors reliability, and integrity and software versions

Vigilant, resilient Efficiency and cost Reduce operating costs and increase avoidance flexibility with remote site diagnostics and engineering

Secure Regulatory and due Ensure process reliability diligence

Deloitte University Press | dupress.deloitte.com

Combining IT and the OT: tion downtime reflects loss of money, but re- covery of critical processes can result in greater Digital meets physical losses, given the time to rebuild and restart.

Implementing Industry 4.0 technologies likely ne- • Instrumentation and proactive problem cessitates that manufacturers consider both the resolution: Corporate brand and reputation digital processes and the machinery and objects increasingly play a role in the global business that could be impacted. This can be commonly market. In practice, malfunctions or production known as uniting the IT and OT. As we examine issues in plant sites can be critical to reputation, factors that drive operational and developmental and changes in the environment should be act- priorities of companies running industrial or manu- ed upon to protect the brand and reputation of facturing processes that involve IT and OT, several the organization. strategic imperatives and operational values can be identified, along with corresponding cybersecurity Second, organizations need to respond to different actions (figure 7). operational values in their daily business:

First, manufacturers are commonly driven by three • Systems operability, reliability, and in- strategic imperatives: tegrity: To reduce the cost of ownership and ease component replacement, sites could invest • Health and safety: Safety for both employ- in interoperable systems that support the use of ees and the environment is typically paramount multiple vendors and software versions. for every site. As technology develops, intel- ligent safety equipment could be upgraded in • Efficiency and cost avoidance: Sites are future environments. continuously under pressure to reduce operat- ing costs. In the future, businesses may invest • Production and process resilience and ef- more in COTS equipment and flexibility with re- ficiency: It is often critical to ensure continuous mote site diagnostics and engineering. production at all times. In practice, any produc-

11 Industry 4.0 and cybersecurity

Figure 7. Smart factory business drivers and threat landscape

System operability, Health and reliability, and integrity safety

Production and process Reconcile resilience/efficacy operational goals Define ICS Efficiency and enterprise cost avoidance and strategic imperatives

Instrumentation and Regulatory and proactive problem due diligence resolution

Map to ICS threat landscape

ICS threat ICS threat actor ICS attack ICS cyber actor motive techniues surface defense

ource eoitte Deloitte University Press dupress.deloitte.com

• Regulatory and due diligence: Regulators the product itself. As products are increasingly con- require different requirements on safety and nected—both to each other and, at times, even back cybersecurity in ICS environments. In the fu- to the manufacturer and supply network—organi- ture, businesses may have to invest even more zations should realize that the cyber risk no longer in changes within the environment to ensure ends once the product has been sold.14 process reliability.

Cyber risks in the age of Industry 4.0 extend beyond the supply network and manufacturing, however, to

12 Managing risk in an age of connected production

Connected objects Expanding risks to the physical object

Y 2020, it is estimated that over 20 billion IoT firmware, and the vendors offered users no mecha- devices will be deployed around the world.15 nism to change those passwords. Existing industrial BMany of these devices may find their way into production facilities often lack the security sophis- manufacturing facilities and production lines, but tication and infrastructure to detect and counter many others are expected to move out into the mar- such an attack once it breaks through the perimeter ketplace where customers, whether B2B or B2C, can protection.19 purchase and use them. The 2016 Deloitte-MAPI survey noted that close to Increasing production, half of manufacturers use mobile apps for connected increasing risk products, while three-quarters use Wi-Fi networks 16 to transmit data to and from connected products. As production facilities increase integration and de- Use of these sorts of avenues for connectivity often ployment of IoT devices, it typically becomes even open up considerable vulnerabilities. IoT device more important to consider the security risks these manufacturers should thus consider how to incor- devices pose to manufacturing, production, and porate stronger, more secure software development enterprise networks. Security implications of com- practices into existing IoT development life cycles to promised IoT devices include production downtime, address the significant cyber risk these devices often damage to equipment or facilities that could include present. catastrophic equipment failure, and, in extreme cases, loss of life. In addition, potential monetary This can prove challenging. Expecting consumers losses are not limited to production downtime and to update security settings, apply effective security incident remediation but can extend to fines, liti- countermeasures, update device firmware, or even gation expenses, and loss of revenue from brand change default device passwords has often proven damage that can persist for months or even years, unsuccessful. For example, an October 2016 IoT well beyond an actual incident. Current approaches distributed denial of service (DDoS) attack via the to safeguarding connected objects, some of which Mirai malware showed how attackers could lever- are listed below, may prove insufficient as both ob- age these weaknesses to conduct a successful attack. jects and attendant risks proliferate. In the attack, a virus infected consumer IoT devic- es such as connected cameras and televisions and turned them into botnets, bombarding servers with TRADITIONAL VULNERABILITY traffic until they collapsed and impeding access to MANAGEMENT multiple popular websites across the United States Vulnerability management programs can effectively for the better part of a day.17 Researchers identi- reduce identified vulnerabilities through scanning fied that the compromised devices used to conduct and patching cycles, but often multiple attack sur- the DDoS attack were secured with vendor default faces remain. An attack surface can be an open TCP/ passwords and had not received required security IP or UDP port or exposed technology that, while patches or updates.18 It should be noted that some not vulnerable today, may have an unknown vulner- vendor passwords were hard-coded into the device ability waiting for an attacker to discover.

13 Industry 4.0 and cybersecurity

ATTACK SURFACE REDUCTION TALENT SHORTFALLS

Put simply, attack surface reduction (ASR) is the A 2016 Deloitte-MAPI study found that 75 percent concept of reducing or eliminating these attack sur- of executives surveyed believe they lacked the skilled faces. ASR begins with IoT device manufacturers talent resources needed to effectively implement designing, building, and deploying hardened de- and maintain a secure connected production eco- vices with only the most essential services exposed. system.21 As the complexity and sophistication of The ownership of security should not lie solely with attacks increase, it is becoming increasingly difficult either the IoT device manufacturer or users; rather, to find the highly skilled cybersecurity talent needed it should be equally shared between them. to design and implement secure, vigilant, and resil- ient cybersecurity solutions. UPDATE PARADOX The cyberthreat landscape continues to evolve, Another challenge to production facilities is the so- becoming more technically complex. Advanced called update paradox. Many industrial production malware, armed with zero-day exploits, that au- networks are rarely updated, as it is costly for man- tonomously targets vulnerable devices and spreads ufacturers to schedule the production downtime to with little human intervention is likely to over- do so. For some continuous-processing facilities, power an already challenged IT/OT security staff. shutdowns and stoppages can result in the loss of This disturbing trend highlights the need for IoT expensive raw production materials. device manufacturers to produce security-hardened devices. To compound this update paradox, many of these connected devices are expected to remain in service for the next 10 to 20 years. It is typically unrealistic Taking an integrated to assume that a device will remain secure through- approach to out the device’s lifespan without applying software patches.20 For production and manufacturing fa- protecting devices cilities, it is important to maximize manufacturing The IoT devices that perform some of the most asset utilization while, at the same time, minimizing critical and sensitive tasks in industry—including downtime. IoT device manufacturers have a respon- controlling the generation and distribution of power, sibility to produce IoT devices that are inherently water purification, chemical production and refine- more secure and hardened to a level where minimal ment, manufacturing, and automated assembly attack surfaces exist, and configured to have the lines—are often the most vulnerable devices found most secure settings using default “open” or inse- on a network. As production facilities continue to re- cure security configurations. duce human intervention, the practice of protecting The same challenge that applies to connected de- these devices at the gateway or network boundaries vices within the manufacturing facility often applies is no likely longer an effective solution (figure 8). to IoT-enabled consumer products as well. Smart systems grow antiquated quickly, and could poten- BUILDING CYBERSECURITY INTO THE tially lead consumer objects to be more vulnerable DESIGN PROCESS FROM THE START to cyberthreats. The threat may seem small with just Manufacturers may be feeling a growing respon- one object, but it widens significantly across a wide sibility to deploy hardened, almost military-grade set of connected devices—witness the recent Mirai connected devices. Many have articulated a need virus attack. To handle this threat, asset manage- for IoT device manufacturers to incorporate secure ment and technology strategy could become more coding practices that include planning, designing, essential than ever before. and incorporating cybersecurity leading practices from the beginning and throughout the hardware and software development life cycle.22 This secure

14 Managing risk in an age of connected production

Figure 8. Connected object imperatives and risks Secure, vigilant, Production life resilient cycle stage categorization Cyber imperative Objective

Connected object Secure Product design Employ secure software development life cycle to produce a functional and secure device

Vigilant Data protection Maintain the safety of sensitive data throughout the data life cycle

Resilient Remediation of attack Minimize the effects of an incident effects while quickly restoring operations and security

Deloitte University Press | dupress.deloitte.com software development life cycle (S-SDLC) incorpo- therefore need to develop approaches to maintain rates security gateways throughout the development protection: not only securely store all device, local, process to assess whether security controls are effec- and cloud-stored data but also quickly detect and re- tive, implements security leading practices, and uses port any conditions or activities that may jeopardize secure software code and libraries to produce a func- the security of those data. tional and secure device. Many of the vulnerabilities Protecting cloud data storage and data in motion identified by IoT product security assessments can often necessitates the use of strong encryption, be addressed early in the design process via S-SDLC artificial intelligence (AI), and machine learning security. It is often more costly and can be much solutions to create robust and responsive threat more difficult, if not impossible, to apply security intelligence, intrusion detection, and intrusion pre- as a patch at the end of a traditional development vention solutions. life cycle.23 As more IoT devices are connected to networks, po- PROTECTING DATA FROM tential attack surfaces can increase, along with risk CONNECTED DEVICES from compromised devices. These attack surfaces may not be exploitable or vulnerable today but may The vast amount of information created by IoT de- be easily exploited in months or years to come. Thus vices can be critical to an Industry 4.0 manufacturer. leaving devices unpatched and connected to the Industry 4.0–driven technologies such as advanced network is not likely feasible. The responsibility of analytics and machine learning can then process and securing these devices should not lie solely with the analyze this information and make critical real-time consumer or those who deploy the connected device; or near-real-time decisions based on that computa- instead, the responsibility should be shared with the tional analysis. These sensitive data are not limited device manufacturers, who may be best positioned to sensor and process information; they may also in- to implement the most effective security. clude a manufacturer’s intellectual property or even data related to privacy regulations. Indeed, close to LEVERAGING AI FOR THREAT DETECTION 70 percent of manufacturers in the Deloitte-MAPI survey transmit personal information to and from In August 2016, the Defense Advanced Research connected products, while just 55 percent encrypt Projects Agency’s (DARPA’s) Cyber Grand Chal- the information they send.24 lenge (CGC) culminated with the top seven teams submitting their AI platforms in what was billed as The safety of sensitive data throughout the data life the first “all machine” hacking competition. The CGC cycle will likely also need to be protected with the was announced in 2013 with the goal of identifying same sound security approach required to produce an AI cybersecurity platform or technology that can hardened devices. IoT device manufacturers would

15 Industry 4.0 and cybersecurity

scan networks, identify software vulnerabilities, and cyberattack, no organization is ever fully immune. apply patches without human intervention. DARPA Being resilient to attack begins with accepting the envisions AI platforms being utilized to dramati- fact that someday the organization could fall victim cally reduce the lengthy time required by humans to to an attack, and then carefully crafting the reaction. identify vulnerabilities and develop software secu- There are three important phases to consider when rity patches to occur in real or near-real time, thus addressing resilience: readiness, response, and reducing cyberattack risk. recovery. A truly vigilant threat detection capability may need • Readiness. An organization should be well to leverage the power of AI to identify the prover- prepared to efficiently deal with all aspects of bial needle in a haystack. Existing signature-based an incident. Clearly defined roles, responsibili- threat detection technologies, inundated with the ties, and actions should be identified. Thought- ever-increasing data produced by IoT devices, could ful preparation, using crisis simulations, inci- be pushed to their limits while trying to reassemble dent walk-throughs, and Wargaming exercises, data streams and perform stateful packet inspection. can help an organization identify gaps and ap- Even if these signature-based detection technologies ply effective remediation steps before a real can keep up with increasing traffic, they are still lim- incident occurs. ited in their ability to detect activities within their signature database. • Response. Management’s response should be well planned and effectively communicated The combination of ASR, S-SDLC, data protection, throughout an organization. A poorly executed secure and hardened device hardware and firmware, response plan can escalate the impact of an in- machine learning, and use of AI to power real-time cident and result in increased downtime, lost responses to threats may be critical in moving for- revenue, and damage to an organization’s repu- ward with a secure, vigilant, and resilient approach tation. These effects can last well beyond the to Industry 4.0–enabled devices. The failure to ad- actual incident. dress security risks, such as those demonstrated by Stuxnet and Mirai malware exploits, and to manu- • Recovery. The steps needed to return to nor- facture hardened and secure IoT devices may result mal operations and limit the damage to an or- in a cyber landscape where attacks to critical infra- ganization should be well planned and practiced. structure and attacks to manufacturing are crippling Post-event analysis should include incorporat- and commonplace.25 ing lessons learned into subsequent incident response plans. BEING RESILIENT WHEN ATTACKS INEVITABLY HIT HOME A resilient organization should minimize the effects of an incident while quickly restoring operations The careful application of secure and vigilant capa- and security. Preparing for an attack, understanding bilities can produce an extremely hardened target what to do when you are attacked, and quickly reme- that can be an effective deterrent to most attack- diating the effects of the attack should be completely ers. It is important to note, however, that while addressed, thoughtfully planned, and fully exercised. organizations can and should decrease their risk to

16 Managing risk in an age of connected production

Being secure, vigilant, and resil- ient in the age of Industry 4.0

EROES and ones—the bits that drive connect- may continue to introduce vast numbers of connect- ed companies today—are transforming man- ed devices and huge amounts of data that require Zufacturing throughout the value chain, from protection. the supply network to smart factory to connected The breadth of risks requires a secure, vigilant, and object. As the adoption and breadth of use of con- resilient approach to understand the dangers and nected technologies increase, cyber risks may grow address the threats: and change, and will likely look different for each stage of the value chain and each organization. Each • Be secure. Take a measured, risk-based ap- organization should adapt to the industrial ecosys- proach to what is secured and how to secure it. tem in the way that best fits their needs. Is your intellectual property safe? Is your supply chain or ICS environment vulnerable? There is no simple fix or single product or patch that an organization can apply to address the cyber risks • Be vigilant. Continually monitor systems, net- and threats presented by Industry 4.0. Connected works, devices, personnel, and the environment technologies already support critical business pro- for possible threats. Real-time threat intelli- cesses today, and these processes will likely only gence and AI are often required to understand grow more connected, integrated, and vulnerable in harmful actions and quickly identify threats the future. Organizations may thus need to rethink across the multitude of new connected devices their business continuity, disaster recovery, and that are being introduced. response plans to accommodate the increasingly complex and ubiquitous cyber environment. • Be resilient. An incident could happen. How would your organization respond? How long Regulation and industry standards are often reactive, would it take to recover? How quickly could you and “compliance” often represents the minimum remediate the effects of an incident? security posture. This does not usually achieve full security across the breadth of technologies in use—a As industry moves to capture the business value particular challenge, given that disruptors need only that comes with Industry 4.0, the need to address find the single weakest point to gain successful entry the cyber risk landscape with a secure, vigilant, and into an organization’s systems. This challenge may resilient response has likely never been greater. only continue to grow: Increasing connectivity and the need to gather and process real-time analytics

17 Industry 4.0 and cybersecurity

ENDNOTES

1. Kim Zetter, “An unprecedented look at Stuxnet, The world’s first digital weapon,” Wired, November 3, 2014, https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.

2. For further information about Industry 4.0, see Brenna Sniderman, Monika Mahto, and Mark Cotteleer, Industry 4.0 and manufacturing ecosystems: Exploring the world of connected enterprises, Deloitte University Press, February 22, 2016, https://dupress.deloitte.com/content/dupress/dup-us-en/focus/industry-4-0/manufacturing- ecosystems-exploring-world-connected-enterprises.html.

3. For further information about digital supply networks, see Adam Mussomeli, Stephen Laaper, and Doug Gish, The rise of the digital supply network: Industry 4.0 enables the digital transformation of supply chains, Deloitte University Press, December 1, 2016, https://dupress.deloitte.com/content/dupress/dup-us-en/focus/industry-4-0/digital- transformation-in-supply-chain.html.

4. Ibid.

5. Bridget McCrea, “The evolution of supply chain collaboration software,” Logistics Management, September 2015.

6. Aron Hsiao, “Top ten risks eBay sellers face,” Balance, January 8, 2016, https://www.thebalance.com/top-ten- risks-ebay-sellers-face-1140349.

7. Harriet Green, “Serving up a better burger: How IoT and blockchain will reinvent the global supply chain,” Venture Beat, October 30, 2016, http://venturebeat.com/2016/10/30/serving-up-a-better-burger-how-iot-and- blockchain-will-reinvent-the-global-supply-chain/.

8. Stuart Trouton, Mark Vitale, and Jason Killmeyer, 3D opportunity for blockchain: Additive manufacturing links the digital thread, Deloitte University Press, November 16, 2016, https://dupress.deloitte.com/content/dupress/dup- us-en/focus/3d-opportunity/3d-printing-blockchain-in-manufacturing.html.

9. Judith Evans, “Cyber criminals target trading algorithms,” Financial Times, February 22, 2015, https://www.ft.com/ content/f8556c92-b1d9-11e4-8396-00144feab7de.

10. US Department of Homeland Security, Strategic principles for securing the Internet of Things, November 15, 2016; and Security tenets for life critical embedded systems, November 20, 2015.

11. The term “life-critical embedded system” extends to any embedded system across all industries that need to protect human life, prevent loss or severe damage to equipment, and prevent environmental harm.

12. Trina Huelsman et al., Cyber risk in advanced manufacturing, Deloitte and MAPI, 2016, https://www2.deloitte.com/ us/en/pages/manufacturing/articles/cyber-risk-in-advanced-manufacturing.html.

13. Sniderman, Mahto, and Cotteleer, Industry 4.0 and manufacturing ecosystems.

14. Brenna Sniderman et al., The design of things: Building in IoT connectivity: The Internet of Things in product design, Deloitte University Press, September 12, 2016, https://dupress.deloitte.com/content/dupress/dup-us-en/focus/ internet-of-things/connected-products-designing-for-internet-of-things.html.

15. Ron van der Meulen, “Gartner says 6.4 billion connected ‘things’ will be in use,” Gartner, November 10, 2015, http://www.gartner.com/newsroom/id/3165317.

16. Huelsman et al., Cyber risk in advanced manufacturing.

17. Nicky Wolf, “DDoS attacks that disrupted Internet was largest of its kind in history, experts say,” Guardian, October 26, 2016, https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet.

18 Managing risk in an age of connected production

18. Alex Hern, “Chinese webcam maker recalls devices after cyberattack link,” Guardian, October 24, 2016, https:// www.theguardian.com/technology/2016/oct/24/chinese-webcam-maker-recalls-devices-cyberattack-ddos- internet-of-things-xiongmai.

19. Matthew E. Luallen and Barbara Filkins, Results of SANS SCADA Security Survey, SANS Institute, February 2013, https://www.sans.org/reading-room/whitepapers/analyst/results-scada-security-survey-35135.

20. Sniderman et al., The design of things.

21. Huelsman et al., Cyber risk in advanced manufacturing.

22. Broadband Internet Technical Advisory Group, Internet of Things (IoT) security and privacy recommen- dations, November 2016, http://www.bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_ and_Privacy_Recommendations.pdf.

23. Sniderman et al., The design of things.

24. Huelsman et al., Cyber risk in advanced manufacturing.

25. Nicole Perlroth, “Hackers used new weapons to disrupt major websites across U.S.,” New York Times, October 22, 2016, http://www.nytimes.com/2016/10/22/business/internet-problems-attack.html.

19 Industry 4.0 and cybersecurity

ABOUT THE AUTHORS

RENÉ WASLO

René Waslo is a cyber risk principal in the Advisory practice of Deloitte & Touche LLP, with a focus on cyber strategy development, threat intelligence, incident response, data loss prevention, application in- tegrity, identity and access management, and data security. Her primary client focus is on Deloitte’s multinational clients in the Chemicals and Specialty Materials, and Technology, Media, and Telecom- munications practices.

TYLER LEWIS

Tyler Lewis is a cyber risk senior manager in the Advisory practice of Deloitte & Touche LLP, focused on leveraging technology in conjunction with business insight and cybersecurity expertise to improve operational capabilities, governance, and risk management within the consumer products marketplace.

RAMSEY HAJJ

Ramsey Hajj is a senior manager in the Cyber Risk Services practice specializing in security architecture around ICS and identity and access management implementation, and assessment services with a focus on manufacturing and distribution clients. He brings over 18 years of technical experience using emerg- ing technologies to solve business problems. He holds an MSc in information systems and has been a CISSP since 2003.

ROBERT CARTON

Robert Carton is a specialist master in the Advisory practice of Deloitte & Touche LLP and serves as a subject-matter expert in automotive and IoT device security. He has over 18 years of cybersecurity ex- perience and helps clients identify solutions for their most complex cybersecurity challenges to include enterprise and connected device security.

20 Managing risk in an age of connected production

ACKNOWLEDGEMENTS

The authors would like to thank Brenna Sniderman of Deloitte Services LP for her contributions to this article.

CONTACTS

Sean Peasley Ramsey Hajj Partner Senior manager Deloitte Advisory Cyber Risk Services Deloitte & Touche LLP Deloitte & Touche LLP Mobile: +1 714 334 6600 +1 561 809 2314 [email protected] [email protected]

René Waslo Robert Carton Principal Specialist master Cyber Risk Services Cyber Threat Management Deloitte & Touche LLP Deloitte & Touche LLP Mobile: +1 412 400 1638 | Office: +1 412 338 7302 Office: +1 855 816 2404 | Mobile: +1 858 335 [email protected] 9183 [email protected] Tyler Lewis Senior manager Cyber Risk Services Deloitte & Touche LLP Mobile: +1 214 504 4902 | Office: +1 214 840 1072 [email protected]

21 Follow @DU_Press Sign up for Deloitte University Press updates at www.dupress.deloitte.com.

About Deloitte University Press Deloitte University Press publishes original articles, reports and periodicals that provide insights for businesses, the public sector and NGOs. Our goal is to draw upon research and experience from throughout our professional services organization, and that of coauthors in academia and business, to advance the conversation on a broad spectrum of topics of interest to executives and government leaders. Deloitte University Press is an imprint of Deloitte Development LLC.

About this publication This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or its and their affiliates are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. None of Deloitte Touche Tohmatsu Limited, its member firms, or its and their respective affiliates shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms. Copyright © 2017 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited